summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--abs/core/libtiff/CVE-2006-3459-3465.patch669
-rw-r--r--abs/core/libtiff/ChangeLog35
-rw-r--r--abs/core/libtiff/PKGBUILD31
-rw-r--r--abs/core/libtiff/libtiff-CVE-2009-2285.patch22
-rw-r--r--abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch64
-rw-r--r--abs/core/libtiff/tiff2pdf-compression.patch44
-rw-r--r--abs/core/libtiff/tiff2pdf-octal-printf.patch11
-rw-r--r--abs/core/libtiff/tiffsplit-fname-overflow.patch19
8 files changed, 16 insertions, 879 deletions
diff --git a/abs/core/libtiff/CVE-2006-3459-3465.patch b/abs/core/libtiff/CVE-2006-3459-3465.patch
deleted file mode 100644
index cb55b03..0000000
--- a/abs/core/libtiff/CVE-2006-3459-3465.patch
+++ /dev/null
@@ -1,669 +0,0 @@
-diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c
---- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100
-@@ -122,6 +122,7 @@
- {
- static const char module[] = "_TIFFVSetField";
-
-+ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY);
- TIFFDirectory* td = &tif->tif_dir;
- int status = 1;
- uint32 v32, i, v;
-@@ -195,10 +196,12 @@
- break;
- case TIFFTAG_ORIENTATION:
- v = va_arg(ap, uint32);
-+ const TIFFFieldInfo* fip;
- if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) {
-+ fip = _TIFFFieldWithTag(tif, tag);
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "Bad value %lu for \"%s\" tag ignored",
-- v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ v, fip ? fip->field_name : "Unknown");
- } else
- td->td_orientation = (uint16) v;
- break;
-@@ -387,11 +390,15 @@
- * happens, for example, when tiffcp is used to convert between
- * compression schemes and codec-specific tags are blindly copied.
- */
-+ /*
-+ * better not dereference fip if it is NULL.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
- if(fip == NULL || fip->field_bit != FIELD_CUSTOM) {
- TIFFErrorExt(tif->tif_clientdata, module,
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- status = 0;
- break;
- }
-@@ -468,7 +475,7 @@
- if (fip->field_type == TIFF_ASCII)
- _TIFFsetString((char **)&tv->value, va_arg(ap, char *));
- else {
-- tv->value = _TIFFmalloc(tv_size * tv->count);
-+ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value");
- if (!tv->value) {
- status = 0;
- goto end;
-@@ -563,7 +570,7 @@
- }
- }
- if (status) {
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+ TIFFSetFieldBit(tif, fip->field_bit);
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- }
-
-@@ -572,12 +579,12 @@
- return (status);
- badvalue:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"",
-- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- badvalue32:
- TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"",
-- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name);
-+ tif->tif_name, v32, fip ? fip->field_name : "Unknown");
- va_end(ap);
- return (0);
- }
-@@ -813,12 +820,16 @@
- * If the client tries to get a tag that is not valid
- * for the image's codec then we'll arrive here.
- */
-+ /*
-+ * dont dereference fip if it's NULL.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
- if( fip == NULL || fip->field_bit != FIELD_CUSTOM )
- {
- TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField",
- "%s: Invalid %stag \"%s\" (not supported by codec)",
- tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "",
-- _TIFFFieldWithTag(tif, tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- ret_val = 0;
- break;
- }
-diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c
---- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100
-@@ -775,7 +775,8 @@
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag",
- "Internal error, unknown tag 0x%x",
- (unsigned int) tag);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-@@ -789,7 +790,8 @@
- if (!fip) {
- TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName",
- "Internal error, unknown tag %s", field_name);
-- assert(fip != NULL);
-+ /* assert(fip != NULL); */
-+
- /*NOTREACHED*/
- }
- return (fip);
-diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c
---- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100
-@@ -29,6 +29,9 @@
- *
- * Directory Read Support Routines.
- */
-+
-+#include <limits.h>
-+
- #include "tiffiop.h"
-
- #define IGNORE 0 /* tag placeholder used below */
-@@ -81,6 +84,7 @@
- uint16 dircount;
- toff_t nextdiroff;
- int diroutoforderwarning = 0;
-+ int compressionknown = 0;
- toff_t* new_dirlist;
-
- tif->tif_diroff = tif->tif_nextdiroff;
-@@ -147,13 +151,20 @@
- } else {
- toff_t off = tif->tif_diroff;
-
-- if (off + sizeof (uint16) > tif->tif_size) {
-- TIFFErrorExt(tif->tif_clientdata, module,
-- "%s: Can not read TIFF directory count",
-- tif->tif_name);
-- return (0);
-+ /*
-+ * Check for integer overflow when validating the dir_off, otherwise
-+ * a very high offset may cause an OOB read and crash the client.
-+ * -- taviso@google.com, 14 Jun 2006.
-+ */
-+ if (off + sizeof (uint16) > tif->tif_size ||
-+ off > (UINT_MAX - sizeof(uint16))) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "%s: Can not read TIFF directory count",
-+ tif->tif_name);
-+ return (0);
- } else
-- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16));
-+ _TIFFmemcpy(&dircount, tif->tif_base + off,
-+ sizeof (uint16));
- off += sizeof (uint16);
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabShort(&dircount);
-@@ -254,6 +265,7 @@
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
-+
- if (fix >= tif->tif_nfields ||
- tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) {
-
-@@ -264,17 +276,23 @@
- dp->tdir_tag,
- dp->tdir_tag,
- dp->tdir_type);
--
-- TIFFMergeFieldInfo(tif,
-- _TIFFCreateAnonFieldInfo(tif,
-- dp->tdir_tag,
-- (TIFFDataType) dp->tdir_type),
-- 1 );
-+ /*
-+ * creating anonymous fields prior to knowing the compression
-+ * algorithm (ie, when the field info has been merged) could cause
-+ * crashes with pathological directories.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
-+ if (compressionknown)
-+ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag,
-+ (TIFFDataType) dp->tdir_type), 1 );
-+ else goto ignore;
-+
- fix = 0;
- while (fix < tif->tif_nfields &&
- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag)
- fix++;
- }
-+
- /*
- * Null out old tags that we ignore.
- */
-@@ -326,6 +344,7 @@
- dp->tdir_type, dp->tdir_offset);
- if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v))
- goto bad;
-+ else compressionknown++;
- break;
- /* XXX: workaround for broken TIFFs */
- } else if (dp->tdir_type == TIFF_LONG) {
-@@ -540,6 +559,7 @@
- * Attempt to deal with a missing StripByteCounts tag.
- */
- if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * Some manufacturers violate the spec by not giving
- * the size of the strips. In this case, assume there
-@@ -556,7 +576,7 @@
- "%s: TIFF directory is missing required "
- "\"%s\" field, calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- /*
-@@ -580,6 +600,7 @@
- } else if (td->td_nstrips == 1
- && td->td_stripoffset[0] != 0
- && BYTECOUNTLOOKSBAD) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Plexus (and others) sometimes give a value of zero for
- * a tag when they don't know what the correct value is! Try
-@@ -589,13 +610,14 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Bogus \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if(EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- } else if (td->td_planarconfig == PLANARCONFIG_CONTIG
- && td->td_nstrips > 2
- && td->td_compression == COMPRESSION_NONE
- && td->td_stripbytecount[0] != td->td_stripbytecount[1]) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS);
- /*
- * XXX: Some vendors fill StripByteCount array with absolutely
- * wrong values (it can be equal to StripOffset array, for
-@@ -604,7 +626,7 @@
- TIFFWarningExt(tif->tif_clientdata, module,
- "%s: Wrong \"%s\" field, ignoring and calculating from imagelength",
- tif->tif_name,
-- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name);
-+ fip ? fip->field_name : "Unknown");
- if (EstimateStripByteCounts(tif, dir, dircount) < 0)
- goto bad;
- }
-@@ -870,7 +892,13 @@
-
- register TIFFDirEntry *dp;
- register TIFFDirectory *td = &tif->tif_dir;
-- uint16 i;
-+
-+ /* i is used to iterate over td->td_nstrips, so must be
-+ * at least the same width.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
-+
-+ uint32 i;
-
- if (td->td_stripbytecount)
- _TIFFfree(td->td_stripbytecount);
-@@ -947,16 +975,18 @@
- static int
- CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count)
- {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+
- if (count > dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (0);
- } else if (count < dir->tdir_count) {
- TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
- "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name,
-+ fip ? fip->field_name : "Unknown",
- dir->tdir_count, count);
- return (1);
- }
-@@ -970,6 +1000,7 @@
- TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp)
- {
- int w = TIFFDataWidth((TIFFDataType) dir->tdir_type);
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- tsize_t cc = dir->tdir_count * w;
-
- /* Check for overflow. */
-@@ -1013,7 +1044,7 @@
- bad:
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Error fetching data for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- return (tsize_t) 0;
- }
-
-@@ -1039,10 +1070,12 @@
- static int
- cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv)
- {
-+ const TIFFFieldInfo* fip;
- if (denom == 0) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "%s: Rational with zero denominator (num = %lu)",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num);
-+ fip ? fip->field_name : "Unknown", num);
- return (0);
- } else {
- if (dir->tdir_type == TIFF_RATIONAL)
-@@ -1159,6 +1192,20 @@
- static int
- TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir)
- {
-+ /*
-+ * Prevent overflowing the v stack arrays below by performing a sanity
-+ * check on tdir_count, this should never be greater than two.
-+ * -- taviso@google.com 14 Jun 2006.
-+ */
-+ if (dir->tdir_count > 2) {
-+ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
-+ TIFFWarningExt(tif->tif_clientdata, tif->tif_name,
-+ "unexpected count for field \"%s\", %lu, expected 2; ignored.",
-+ fip ? fip->field_name : "Unknown",
-+ dir->tdir_count);
-+ return 0;
-+ }
-+
- switch (dir->tdir_type) {
- case TIFF_BYTE:
- case TIFF_SBYTE:
-@@ -1329,14 +1376,15 @@
- case TIFF_DOUBLE:
- return (TIFFFetchDoubleArray(tif, dir, (double*) v));
- default:
-+ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- /* TIFF_NOTYPE */
- /* TIFF_ASCII */
- /* TIFF_UNDEFINED */
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "cannot read TIFF_ANY type %d for field \"%s\"",
- dir->tdir_type,
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-- return (0);
-+ fip ? fip->field_name : "Unknown");
-+ return (0); }
- }
- return (1);
- }
-@@ -1351,6 +1399,9 @@
- int ok = 0;
- const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag);
-
-+ if (fip == NULL) {
-+ return (0);
-+ }
- if (dp->tdir_count > 1) { /* array of values */
- char* cp = NULL;
-
-@@ -1493,6 +1544,7 @@
- TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1510,9 +1562,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1534,6 +1587,7 @@
- TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1551,9 +1605,10 @@
- check_count = samples;
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-@@ -1574,6 +1629,7 @@
- TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl)
- {
- uint16 samples = tif->tif_dir.td_samplesperpixel;
-+ const TIFFFieldInfo* fip;
- int status = 0;
-
- if (CheckDirCount(tif, dir, (uint32) samples)) {
-@@ -1591,9 +1647,10 @@
-
- for (i = 1; i < check_count; i++)
- if (v[i] != v[0]) {
-+ fip = _TIFFFieldWithTag(tif, dir->tdir_tag);
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "Cannot handle different per-sample values for field \"%s\"",
-- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name);
-+ fip ? fip->field_name : "Unknown");
- goto bad;
- }
- *pl = v[0];
-diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c
---- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100
-@@ -1136,6 +1136,7 @@
- Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap)
- {
- Fax3BaseState* sp = Fax3State(tif);
-+ const TIFFFieldInfo* fip;
-
- assert(sp != 0);
- assert(sp->vsetparent != 0);
-@@ -1181,7 +1182,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c
---- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100
-@@ -722,15 +722,31 @@
- segment_width = TIFFhowmany(segment_width, sp->h_sampling);
- segment_height = TIFFhowmany(segment_height, sp->v_sampling);
- }
-- if (sp->cinfo.d.image_width != segment_width ||
-- sp->cinfo.d.image_height != segment_height) {
-+ if (sp->cinfo.d.image_width < segment_width ||
-+ sp->cinfo.d.image_height < segment_height) {
- TIFFWarningExt(tif->tif_clientdata, module,
- "Improper JPEG strip/tile size, expected %dx%d, got %dx%d",
- segment_width,
- segment_height,
- sp->cinfo.d.image_width,
- sp->cinfo.d.image_height);
-+ }
-+
-+ if (sp->cinfo.d.image_width > segment_width ||
-+ sp->cinfo.d.image_height > segment_height) {
-+ /*
-+ * This case could be dangerous, if the strip or tile size has been
-+ * reported as less than the amount of data jpeg will return, some
-+ * potential security issues arise. Catch this case and error out.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "JPEG strip/tile size exceeds expected dimensions,"
-+ "expected %dx%d, got %dx%d", segment_width, segment_height,
-+ sp->cinfo.d.image_width, sp->cinfo.d.image_height);
-+ return (0);
- }
-+
- if (sp->cinfo.d.num_components !=
- (td->td_planarconfig == PLANARCONFIG_CONTIG ?
- td->td_samplesperpixel : 1)) {
-@@ -761,6 +777,22 @@
- sp->cinfo.d.comp_info[0].v_samp_factor,
- sp->h_sampling, sp->v_sampling);
-
-+ /*
-+ * There are potential security issues here for decoders that
-+ * have already allocated buffers based on the expected sampling
-+ * factors. Lets check the sampling factors dont exceed what
-+ * we were expecting.
-+ * -- taviso@google.com 14 June 2006
-+ */
-+ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling ||
-+ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) {
-+ TIFFErrorExt(tif->tif_clientdata, module,
-+ "Cannot honour JPEG sampling factors that"
-+ " exceed those specified.");
-+ return (0);
-+ }
-+
-+
- /*
- * XXX: Files written by the Intergraph software
- * has different sampling factors stored in the
-@@ -1521,15 +1553,18 @@
- {
- JPEGState *sp = JState(tif);
-
-- assert(sp != 0);
-+ /* assert(sp != 0); */
-
- tif->tif_tagmethods.vgetfield = sp->vgetparent;
- tif->tif_tagmethods.vsetfield = sp->vsetparent;
-
-- if( sp->cinfo_initialized )
-- TIFFjpeg_destroy(sp); /* release libjpeg resources */
-- if (sp->jpegtables) /* tag value */
-- _TIFFfree(sp->jpegtables);
-+ if (sp != NULL) {
-+ if( sp->cinfo_initialized )
-+ TIFFjpeg_destroy(sp); /* release libjpeg resources */
-+ if (sp->jpegtables) /* tag value */
-+ _TIFFfree(sp->jpegtables);
-+ }
-+
- _TIFFfree(tif->tif_data); /* release local state */
- tif->tif_data = NULL;
-
-@@ -1541,6 +1576,7 @@
- {
- JPEGState* sp = JState(tif);
- TIFFDirectory* td = &tif->tif_dir;
-+ const TIFFFieldInfo* fip;
- uint32 v32;
-
- assert(sp != NULL);
-@@ -1606,7 +1642,13 @@
- default:
- return (*sp->vsetparent)(tif, tag, ap);
- }
-- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit);
-+
-+ if ((fip = _TIFFFieldWithTag(tif, tag))) {
-+ TIFFSetFieldBit(tif, fip->field_bit);
-+ } else {
-+ return (0);
-+ }
-+
- tif->tif_flags |= TIFF_DIRTYDIRECT;
- return (1);
- }
-@@ -1726,7 +1768,11 @@
- {
- JPEGState* sp = JState(tif);
-
-- assert(sp != NULL);
-+ /* assert(sp != NULL); */
-+ if (sp == NULL) {
-+ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState");
-+ return;
-+ }
-
- (void) flags;
- if (TIFFFieldSet(tif,FIELD_JPEGTABLES))
-diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c
---- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100
-@@ -105,11 +105,16 @@
- * as codes of the form <color><npixels>
- * until we've filled the scanline.
- */
-+ /*
-+ * Ensure the run does not exceed the scanline
-+ * bounds, potentially resulting in a security issue.
-+ * -- taviso@google.com 14 Jun 2006.
-+ */
- op = row;
- for (;;) {
- grey = (n>>6) & 0x3;
- n &= 0x3f;
-- while (n-- > 0)
-+ while (n-- > 0 && npixels < imagewidth)
- SETPIXEL(op, grey);
- if (npixels >= (int) imagewidth)
- break;
-diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c
---- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100
-@@ -768,7 +768,19 @@
- if (tif->tif_flags & TIFF_SWAB)
- TIFFSwabArrayOfShort(up, nsamples);
-
-- for (i = 0; i < nsamples; i += llen, up += llen) {
-+ /*
-+ * if llen is not an exact multiple of nsamples, the decode operation
-+ * may overflow the output buffer, so truncate it enough to prevent that
-+ * but still salvage as much data as possible.
-+ * -- taviso@google.com 14th June 2006
-+ */
-+ if (nsamples % llen)
-+ TIFFWarningExt(tif->tif_clientdata, module,
-+ "%s: stride %lu is not a multiple of sample count, "
-+ "%lu, data truncated.", tif->tif_name, llen, nsamples);
-+
-+
-+ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) {
- switch (sp->user_datafmt) {
- case PIXARLOGDATAFMT_FLOAT:
- horizontalAccumulateF(up, llen, sp->stride,
-diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c
---- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000
-+++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100
-@@ -31,6 +31,8 @@
- #include "tiffiop.h"
- #include <stdio.h>
-
-+#include <limits.h>
-+
- int TIFFFillStrip(TIFF*, tstrip_t);
- int TIFFFillTile(TIFF*, ttile_t);
- static int TIFFStartStrip(TIFF*, tstrip_t);
-@@ -272,7 +274,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) {
-+ /*
-+ * This sanity check could potentially overflow, causing an OOB read.
-+ * verify that offset + bytecount is > offset.
-+ * -- taviso@google.com 14 Jun 2006
-+ */
-+ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[strip])) {
- /*
- * This error message might seem strange, but it's
- * what would happen if a read were done instead.
-@@ -470,7 +478,13 @@
- if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata)
- _TIFFfree(tif->tif_rawdata);
- tif->tif_flags &= ~TIFF_MYBUFFER;
-- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) {
-+ /*
-+ * We must check this calculation doesnt overflow, potentially
-+ * causing an OOB read.
-+ * -- taviso@google.com 15 Jun 2006
-+ */
-+ if (td->td_stripoffset[tile] + bytecount > tif->tif_size ||
-+ bytecount > (UINT_MAX - td->td_stripoffset[tile])) {
- tif->tif_curtile = NOTILE;
- return (0);
- }
diff --git a/abs/core/libtiff/ChangeLog b/abs/core/libtiff/ChangeLog
deleted file mode 100644
index 88edcc7..0000000
--- a/abs/core/libtiff/ChangeLog
+++ /dev/null
@@ -1,35 +0,0 @@
-2010-06-20 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.9.4-1
- * Upstream update
-
-2009-11-05 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.9.2-1
- * Upstream update
-
-2009-08-28 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.9.1-1
- * Upstream update
-
-2009-08-26 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.9.0-1
- * Upstream update
- * Updated url
- * Updated patches
-
-2009-08-14 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.8.2-6
- * Added security fixes (close FS#15931)
-
-2008-09-05 Eric Belanger <eric@archlinux.org>
-
- * libtiff 3.8.2-4
- * Applied patch to fix buffer underflow in LZW decoding (tiff-3.8.2-CVE-2008-2327.patch)
- * Added license
- * Added freeglut optdepends
- * FHS man pages
- * Added ChangeLog
diff --git a/abs/core/libtiff/PKGBUILD b/abs/core/libtiff/PKGBUILD
index ed80a2b..2606aa1 100644
--- a/abs/core/libtiff/PKGBUILD
+++ b/abs/core/libtiff/PKGBUILD
@@ -1,32 +1,33 @@
-# $Id: PKGBUILD 83314 2010-06-20 21:43:27Z eric $
-# Maintainer: Eric Belanger <eric@archlinux.org>
-# Contributor: dorphell <dorphell@archlinux.org>
+# $Id: PKGBUILD 162307 2012-06-24 20:44:52Z eric $
+# Maintainer: Eric BĂ©langer <eric@archlinux.org>
pkgname=libtiff
-pkgver=3.9.4
+pkgver=4.0.2
pkgrel=1
pkgdesc="Library for manipulation of TIFF images"
arch=('i686' 'x86_64')
url="http://www.remotesensing.org/libtiff/"
license=('custom')
-depends=('libjpeg' 'zlib')
-makedepends=('libgl' 'freeglut' 'libxmu' 'libxi')
+depends=('libjpeg' 'zlib' 'xz')
+makedepends=('freeglut')
optdepends=('freeglut: for using tiffgt')
options=('!libtool')
-source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz \
- libtiff-CVE-2009-2285.patch)
-md5sums=('2006c1bdd12644dbf02956955175afd6' 'ff61077408727a82281f77a94f555e2a')
-sha1sums=('a4e32d55afbbcabd0391a9c89995e8e8a19961de' 'eadce8c8bd72ea9c74f35300bf299131813b0c8b')
+source=(ftp://ftp.remotesensing.org/pub/libtiff/tiff-${pkgver}.tar.gz)
+sha1sums=('d84b7b33a6cfb3d15ca386c8c16b05047f8b5352')
build() {
cd "${srcdir}/tiff-${pkgver}"
- patch -p1 < ../libtiff-CVE-2009-2285.patch || return 1
- ./configure --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man || return 1
- make || return 1
+ ./configure --prefix=/usr
+ make
+}
+
+check() {
+ cd "${srcdir}/tiff-${pkgver}"
+ make check
}
package() {
cd "${srcdir}/tiff-${pkgver}"
- make DESTDIR="${pkgdir}" install || return 1
- install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE" || return 1
+ make DESTDIR="${pkgdir}" install
+ install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}
diff --git a/abs/core/libtiff/libtiff-CVE-2009-2285.patch b/abs/core/libtiff/libtiff-CVE-2009-2285.patch
deleted file mode 100644
index 435a84b..0000000
--- a/abs/core/libtiff/libtiff-CVE-2009-2285.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: tiff-3.8.2/libtiff/tif_lzw.c
-===================================================================
---- tiff-3.8.2.orig/libtiff/tif_lzw.c
-+++ tiff-3.8.2/libtiff/tif_lzw.c
-@@ -421,7 +421,7 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
-- if (code == CODE_CLEAR) {
-+ if (code >= CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %d",
- tif->tif_row);
-@@ -624,7 +624,7 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
- if (code == CODE_EOI)
- break;
-- if (code == CODE_CLEAR) {
-+ if (code >= CODE_CLEAR) {
- TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
- "LZWDecode: Corrupted LZW table at scanline %d",
- tif->tif_row);
diff --git a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch b/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch
deleted file mode 100644
index e6d74a6..0000000
--- a/abs/core/libtiff/tiff-3.8.2-CVE-2008-2327.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Fixes security issues in libTIFF's handling of LZW-encoded
-images. The use of uninitialized data could lead to a buffer
-underflow and a crash or arbitrary code execution.
-
-CVE-ID: CVE-2008-2327
-Security bug: https://bugs.gentoo.org/show_bug.cgi?id=234080
-
-Index: tiff-3.8.2/libtiff/tif_lzw.c
-===================================================================
---- tiff-3.8.2.orig/libtiff/tif_lzw.c
-+++ tiff-3.8.2/libtiff/tif_lzw.c
-@@ -237,6 +237,12 @@ LZWSetupDecode(TIFF* tif)
- sp->dec_codetab[code].length = 1;
- sp->dec_codetab[code].next = NULL;
- } while (code--);
-+ /*
-+ * Zero-out the unused entries
-+ */
-+ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0,
-+ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t));
-+
- }
- return (1);
- }
-@@ -408,12 +414,19 @@ LZWDecode(TIFF* tif, tidata_t op0, tsize
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask-1;
- NextCode(tif, sp, bp, code, GetNextCode);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
- *op++ = (char)code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
-@@ -604,12 +617,19 @@ LZWDecodeCompat(TIFF* tif, tidata_t op0,
- break;
- if (code == CODE_CLEAR) {
- free_entp = sp->dec_codetab + CODE_FIRST;
-+ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t));
- nbits = BITS_MIN;
- nbitsmask = MAXCODE(BITS_MIN);
- maxcodep = sp->dec_codetab + nbitsmask;
- NextCode(tif, sp, bp, code, GetNextCodeCompat);
- if (code == CODE_EOI)
- break;
-+ if (code == CODE_CLEAR) {
-+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
-+ "LZWDecode: Corrupted LZW table at scanline %d",
-+ tif->tif_row);
-+ return (0);
-+ }
- *op++ = code, occ--;
- oldcodep = sp->dec_codetab + code;
- continue;
diff --git a/abs/core/libtiff/tiff2pdf-compression.patch b/abs/core/libtiff/tiff2pdf-compression.patch
deleted file mode 100644
index 2dae2dc..0000000
--- a/abs/core/libtiff/tiff2pdf-compression.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35
-+++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36
-@@ -937,7 +937,7 @@
-
- #ifdef JPEG_SUPPORT
- if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){
-- if(t2p->pdf_defaultcompressionquality<100 ||
-+ if(t2p->pdf_defaultcompressionquality>100 ||
- t2p->pdf_defaultcompressionquality<1){
- t2p->pdf_defaultcompressionquality=0;
- }
-@@ -945,25 +945,17 @@
- #endif
- #ifdef ZIP_SUPPORT
- if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){
-- switch (t2p->pdf_defaultcompressionquality){
-- case 1: case 10: case 11: case 12: case 13: case 14: case 15:
-- case 101: case 110: case 111: case 112: case 113: case 114: case 115:
-- case 201: case 210: case 211: case 212: case 213: case 214: case 215:
-- case 301: case 310: case 311: case 312: case 313: case 314: case 315:
-- case 401: case 410: case 411: case 412: case 413: case 414: case 415:
-- case 501: case 510: case 511: case 512: case 513: case 514: case 515:
-- case 601: case 610: case 611: case 612: case 613: case 614: case 615:
-- case 701: case 710: case 711: case 712: case 713: case 714: case 715:
-- case 801: case 810: case 811: case 812: case 813: case 814: case 815:
-- case 901: case 910: case 911: case 912: case 913: case 914: case 915:
-- break;
-- default:
-- t2p->pdf_defaultcompressionquality=0;
-+ uint16 m=t2p->pdf_defaultcompressionquality%100;
-+ if(t2p->pdf_defaultcompressionquality/100 > 9 ||
-+ (m>1 && m<10) || m>15){
-+ t2p->pdf_defaultcompressionquality=0;
- }
- if(t2p->pdf_defaultcompressionquality%100 !=0){
-+ t2p->pdf_defaultcompressionquality/=100;
-+ t2p->pdf_defaultcompressionquality*=100;
- TIFFError(
- TIFF2PDF_MODULE,
-- "PNG Group predictor differencing not implemented, assuming compresion quality %u",
-+ "PNG Group predictor differencing not implemented, assuming compression quality %u",
- t2p->pdf_defaultcompressionquality);
- }
- t2p->pdf_defaultcompressionquality%=100;
diff --git a/abs/core/libtiff/tiff2pdf-octal-printf.patch b/abs/core/libtiff/tiff2pdf-octal-printf.patch
deleted file mode 100644
index f35b072..0000000
--- a/abs/core/libtiff/tiff2pdf-octal-printf.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500
-+++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400
-@@ -3668,7 +3668,7 @@
- written += TIFFWriteFile(output, (tdata_t) "(", 1);
- for (i=0;i<len;i++){
- if((pdfstr[i]&0x80) || (pdfstr[i]==127) || (pdfstr[i]<32)){
-- sprintf(buffer, "\\%.3o", pdfstr[i]);
-+ sprintf(buffer, "\\%.3hho", pdfstr[i]);
- written += TIFFWriteFile(output, (tdata_t) buffer, 4);
- } else {
- switch (pdfstr[i]){
diff --git a/abs/core/libtiff/tiffsplit-fname-overflow.patch b/abs/core/libtiff/tiffsplit-fname-overflow.patch
deleted file mode 100644
index cc22589..0000000
--- a/abs/core/libtiff/tiffsplit-fname-overflow.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500
-+++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400
-@@ -61,14 +61,13 @@
- return (-3);
- }
- if (argc > 2)
-- strcpy(fname, argv[2]);
-+ snprintf(fname, sizeof(fname), "%s", argv[2]);
- in = TIFFOpen(argv[1], "r");
- if (in != NULL) {
- do {
- char path[1024+1];
- newfilename();
-- strcpy(path, fname);
-- strcat(path, ".tif");
-+ snprintf(path, sizeof(path), "%s.tif", fname);
- out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl");
- if (out == NULL)
- return (-2);